California Attorney General Releases Proposed CCPA Regulations

Smart Summary for Businesses

  • The full proposed text of California Consumer Privacy Act regulations are available to the public and the California Office of the Attorney General will seek input until early December.
  • The regulations will affect companies not located in California, but that do gather data from California residents, businesses, etc.
  • Regulations include business practices for giving consumers notice, dealing with consumer requests, training employees, and more. 

The long-awaited proposed text of California Consumer Privacy Act (CCPA) regulations were released to the public on October 10th. Their full text is available here.

As the Kegler Brown team previously wrote, the CCPA becomes effective on January 1, 2020, and will require companies to create greater transparency about the collection, use, and sharing of California consumers’ personal information.

The proposed regulations do just that, providing guidance on topics including notice to consumers of data collection; consumers’ rights to opt-out, to opt back in, and to have their information deleted; and how to handle and respond to consumers’ requests. The regulations also cover record-keeping and the handling of minors’ information.

Following statute, the California Office of the Attorney General (OAG) will seek written comments on the proposed regulations and will hold public hearings for interested parties in early December, allowing for the regulations to be finalized in time to go into effect, and enforcement to begin July 1, 2020.

The proposed regulations are of interest to companies outside of California, as compliance will be required if that company receives personal information from California consumers while either: (i) exceeding annual gross revenues of $25 million; (ii) annually obtaining personal information of 50,000 or more California consumers, households or devices; or (iii) gaining 50 percent or more of their annual revenue from selling California consumers’ personal information.

It is yet unclear whether the $25 million annual gross revenue figure is limited only to sales in California or expanded to sales globally. Therefore, companies worldwide will need to act proactively to comply with these new requirements.

If you have questions on how to take proactive action in preparation for CCPA, or whether your company’s policies and practices are in compliance, contact David Wilson from our Privacy + Data Security team.